JIYIK CN >

Installing a Secure Sockets Layer (SSL) certificate on your WordPress site enables it to use HTTPS for a secure connection. Unfortunately, there are a lot of things that can go wrong in the process of verifying a valid SSL certificate and establishing a connection between your website's server and your visitor's browser.

If you encounter the "SSL Handshake Failed" error message and are confused about what it means, remember that you are not the only one to have this problem. This is a common error that, on its own, doesn't tell you much. While this can be frustrating, the good news is that there are some simple steps you can take to fix the problem.

In this post, we’ll explain what the SSL Handshake Failed error is and what causes it. Then, we’ll provide several methods you can use to fix it.

Introduction to SSL Handshake

Before we delve into what causes a TLS or SSL handshake to fail, it's helpful to understand what a TLS/SSL handshake is. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are protocols used to authenticate data transmission between a server and an external system, such as a browser.

An SSL certificate is required to secure your website with HTTPS . We won’t get too deep into the difference between TLS and SSL as it’s a minor distinction. The terms are often used interchangeably, so for simplicity we’ll use “SSL” to refer to both.

By the way, the SSL handshake is the first step in the process of establishing an HTTPS connection. In order to authenticate and establish the connection, the user's browser and the website's server must go through a series of checks (handshakes) that establish the HTTPS connection parameters.

Let's explain: The client (usually a browser) sends a secure connection request to the server. After sending the request, the server sends a public key to your computer and checks it against a list of certificates. Your computer then generates a key and encrypts it using the public key sent from the server.

Long story short, without the SSL handshake, there is no way to establish a secure connection. This poses a significant security risk. Furthermore, there are many moving parts involved in the process.

This means there are lots of different opportunities for something to go wrong and cause the handshake to fail, or even result in a “your connection is not private” error, causing visitors to leave.

Understanding what causes SSL handshake failures

SSL Handshake Failure or Error 525 means that the server and browser were unable to establish a secure connection. This can happen for a number of reasons.

Typically, Error 525 indicates that the SSL handshake between your domain using Cloudflare and your origin web server failed:

However, it is also important to understand that SSL errors can occur on the client or server side. Common causes of client-side SSL errors include:

• The date or time on the client device is incorrect.
• The browser is misconfigured.
• Connections intercepted by third parties.

Some server-side reasons include:

• Cipher suite mismatch.
• The client used a protocol that the server does not support.
• Incomplete, invalid, or expired certificates.

Typically, if the SSL handshake fails, the problem can be attributed to a problem with the website or server and its SSL configuration.

5 ways to fix the SSL Handshake Failed error

There are several potential reasons behind the “SSL Handshake Failed” error. Therefore, there is no simple answer when it comes to how to fix it.

Luckily, there are a number of methods you can use to start identifying potential issues and addressing them one by one. Let’s look at five strategies you can use to try to fix the SSL Handshake Failed error.

1. Update your system date and time

Let's start with a less likely cause, but very easy to correct if it's the problem: your computer clock.

If your system is using the wrong date and time, this can break SSL handshakes. When the system clock differs from the actual time, for example if it is set too far away, this can interfere with SSL certificate validation.

Your computer clock may be set incorrectly due to human error or simply because your settings have a glitch. Whatever the reason, it's a good idea to check and make sure your system time is correct and update it if it's not.

Of course, if your clock shows correct information, it is safe to assume that this is not the source of the "SSL Handshake Failed" problem.

2. Check if your SSL certificate is valid

An expiration date is placed on an SSL certificate to help ensure that its verification information remains accurate. Typically, these certificates are valid for between six months and two years.

If an SSL certificate is revoked or expired, the browser will detect this and fail to complete the SSL handshake. If it's been more than a year or so since you installed an SSL certificate on your website, it may be time to have it reissued.

To check the status of your SSL certificate, you can use an SSL certificate checker tool, such as the one provided by Qualys:

This tool is both reliable and free. All you need to do is enter your domain name in the Hostname field and click Submit. Once the checker is done analyzing your site’s SSL configuration, it will show you some results:

On this page, you can check to see if your certificate is still valid and see if it has been revoked for some reason.

In either case, renewing your SSL certificate should resolve Handshake Failedthe error.

3. Configure your browser to get the latest SSL/TLS protocol support

Sometimes the best way to determine the root cause of a problem is through a process of elimination. As we mentioned earlier, SSL Handshake Failed is often caused by a browser misconfiguration.

The quickest way to determine if a specific browser is the problem is to try switching to a different browser. This can at least help narrow down the issue. You can also try disabling any plugins and resetting the browser to its default settings.

Another potential browser-related problem is protocol mismatch. For example, if the server only supports TLS 1.2, but the browser is only configured for TLS 1.0 or TLS 1.1, no mutually supported protocol is available. This will inevitably lead to a failed SSL handshake.

How you check to see if this issue is occurring will vary depending on the browser you’re using. As an example, we’ll look at how this process works in Chrome. First, open the browser and go to Settings > Advanced. This will expand a number of menu options.

Under the System section, click Open my computer's proxy settings:

This will open a new window. Next, select the Advanced tab. Under the Security section, check if the box next to Use TLS 1.2 is checked. If not, check that option:

It is also recommended that you uncheck the boxes for SSL 2.0 and SSL 3.0.

The same applies to TLS 1.0 and TLS 1.1 as they are being phased out. Once completed, click the OK button and check if the handshake error has been resolved.

请注意，如果你使用 Apple Safari 或 Mac OS，则没有启用或禁用 SSL 协议的选项。默认情况下会自动启用 TLS 1.2。如果你使用的是 Linux，你可以参考Red Hat guide on TLS hardening。

4. 验证你的服务器是否正确配置为支持 SNI

SSL 握手失败也可能是由不正确的服务器名称指示 (SNI) 配置引起的。SNI 使 Web 服务器能够为一个 IP 地址安全地托管多个 TLS 证书。

服务器上的每个网站都有自己的证书。但是，如果服务器未启用 SNI，则可能导致 SSL 握手失败，因为服务器可能不知道要提供哪个证书。

有几种方法可以检查站点是否需要 SNI。一种选择是使用 Qualys 的 SSL 服务器测试，我们在上一节中讨论过。输入你站点的域名，然后单击“提交”按钮。

在结果页面上，查找显示“此站点仅适用于支持 SNI 的浏览器”的消息：

另一种检测服务器是否使用 SNI 的方法是浏览“ClientHello”消息中的服务器名称。这是一个更具技术性的过程，但它可以提供很多信息。

它涉及检查“server_name”字段的扩展 hello 标头，以查看是否提供了正确的认证。

如果你熟悉使用OpenSSL 工具包 和Wireshark等工具，你可能会发现这种方法更可取。你可以使用openssl s_client和不使用-servername选项：

# without SNI
$ openssl s_client -connect host:port
# use SNI
$ openssl s_client -connect host:port -servername host

如果你获得两个同名的不同证书，则表示支持并正确配置了 SNI。

但是，如果返回的证书中的输出不同，或者没有SNI的调用无法建立SSL连接，则表明需要SNI但没有正确配置。解决此问题可能需要切换到专用 IP 地址。

5. 确保密码套件匹配

如果你仍然无法确定 SSL 握手失败的原因，则可能是由于cipher suite mismatch。如果你不熟悉该术语，“密码套件”是指一组算法，包括用于密钥交换、批量加密和消息身份验证代码的算法，可用于保护 SSL 和 TLS 网络连接。

如果服务器使用的密码套件不支持或不匹配 Cloudflare 使用的密码套件，则可能会导致“SSL 握手失败”错误。

在确定是否存在密码套件不匹配时，Qualys 的 SSL 服务器测试再次证明是一个有用的工具。

当你输入你的域并单击Submit 时，你将看到一个摘要分析页面。你可以在Cipher Suites 部分下找到密码信息：

你可以使用此页面来发现服务器支持哪些密码和协议。你需要注意任何显示“弱”状态的内容。此外，本节还详细介绍了密码套件的具体算法。

要更正此问题，你可以使用浏览器 工具的Qualys SSL/TLS 功能将结果与浏览器支持的结果进行比较。有关密码套件的更多信息和指南，我们还建议你查看ComodoSSLStore 指南。

总结

SSL 相关问题中最令人困惑但最常见的类型之一是“SSL Handshake Failed”错误。处理此错误可能会有压力，因为它有许多潜在原因，包括客户端和服务器端问题。

但是，你可以使用一些可靠的解决方案来识别问题并解决它。你可以使用以下五种方法来修复 SSL 握手失败错误：

1. 更新你的系统日期和时间。
2. 检查你的 SSL 证书是否有效（并在必要时重新颁发）。
3. 配置你的浏览器以支持最新的 TLS/SSL 版本。
4. 验证你的服务器是否正确配置为支持 SNI。
5. 确保密码套件匹配。